Former Tor developer created malware for the FBI to hack Tor users

How does the U.S. government beat Tor, the anonymity software used by millions of people around the world? By hiring someone with experience on the inside.

A former Tor Project developer created malware for the Federal Bureau of Investigation that allowed agents to unmask users of the anonymity software.

Matt Edman is a cybersecurity expert who worked as a part-time employee at Tor Project, the nonprofit that builds Tor software and maintains the network, almost a decade ago.

Since then, he’s developed potent malware used by law enforcement to unmask Tor users. It’s been wielded in multiple investigations by federal law-enforcement and U.S. intelligence agencies in several high-profile cases.

“It has come to our attention that Matt Edman, who worked with the Tor Project until 2009, subsequently was employed by a defense contractor working for the FBI to develop anti-Tor malware,” the Tor Project confirmed in a statement after being contacted by the Daily Dot.

In 2008, Edman joined the Tor Project as a developer to work on Vidalia, a piece of software meant to make Tor easier for normal users by implementing a simple user interface. He was a graduate student then, pursuing a Ph.D. in computer science that he would obtain in 2011 from Rensselaer Polytechnic Institute.

The Baylor University graduate became part of the close-knit pro-privacy community, attending the developer meetings and contributing significantly to Tor’s codebase. He wrote and contributed to research papers with the creators of Tor and helped other members in their work building privacy tools. According to the Tor Project, however, “Vidalia was the only Tor software to which Edman was able to commit changes.”

Tor dropped Vidalia in 2013, replacing it with other tools designed to improve the user experience.

Edman joined the project the same day as Jacob Appelbaum, the hacker and journalist famous for his work with Tor, with WikiLeaks, and with Edward Snowden, the former NSA contractor who leaked a trove of documents to the press in 2013.

By 2012, Edman was working at Mitre Corporation as a senior cybersecurity engineer assigned to the FBI’s Remote Operations Unit, the bureau’s little-known internal team tapped to build or buy custom hacks and malware for spying on potential criminals. With an unparalleled pedigree established from his time inside the Tor Project, Edman became an FBI contractor tasked with hacking Tor as part of Operation Torpedo, a sting against three Dark Net child pornography sites that used Tor to cloak their owners and patrons.

Tor works by encrypting Internet traffic so that users can hide their identity when accessing the open and free Web. It is also used to visit Dark Net sites, like those targeted by Operation Torpedo, that are inaccessible with standard browsers. Tor is used by millions of people, including soldiers, government officials, human rights activists, and criminals. The Tor Project gives instruction and education to law enforcement around the world on how to use and work with the software. FBI agents even use the software themselves.

Tor is widely considered one of the most important and powerful Internet privacy tools ever made. The project has received the majority of its funding from the U.S. government.

“This is the U.S. government that’s hacking itself, at the end of the day,” ACLU technologist Chris Soghoian told the Daily Dot in a phone interview. “One arm of the U.S. government is funding this thing, the other is tasked with hacking it.”

Mitre Corporation, where Edman did at least some of his work for the FBI, is a private nonprofit that makes nearly $1.5 billion annually, according to its annual reports, from its work on security with the U.S. Department of Defense and a host of other federal agencies.

Mitre occupies a paradoxical space in the cybersecurity world. It maintains the industry-standard list of Common Vulnerabilities and Exposures (CVE), meant to help share transparent security data to beat hackers across the tech world. But it’s also being paid by the federal government to develop and deploy hacks.

That seeming contradiction hasn’t gone unnoticed. “They’re supposed to play this important and trusted role in the cybersecurity community,” Soghoian said. “On the other hand they’re developing malware which undermines their trusted role.”

At Mitre, Edman worked closely with FBI Special Agent Steven A. Smith to customize, configure, test, and deploy malware he called “Cornhusker” to collect identifying information on Tor users. More widely, it’s been known as Torsploit.

Cornhusker used a Flash application to deliver a user’s real Internet Protocol (IP) address to an FBI server outside the Tor network. Cornhusker—so named because the University of Nebraska’s nickname is the Cornhuskers—was placed on three servers owned by Nebraska man Aaron McGrath, whose arrest sparked the larger anti-child-exploitation operation. The servers ran multiple anonymous child pornography websites.

The malware targeted the Flash plugin inside the Tor Browser. The Tor Project has long warned that Flash is unsafe to use with Tor, but many people—including the dozens revealed in Operation Torpedo—make security mistakes, just as they do with all types of software.

Operation Torpedo netted 19 convictions and counting, and it resulted in at least 25 de-anonymized individuals.

During the trial of Kirk Cottom, a 45-year-old from Rochester, New York, who would plead guilty to receiving and accessing with intent to view child pornography, the defense asked to see the source code—the human-readable code written by programmers that makes the software tick—behind Cornhusker. The defense wanted a look at the tool that pointed the finger at Cottom. The FBI said it lost the source code. Special Agent Smith insisted he never instructed anyone to destroy the code. The judge said the loss was “unfortunate” but “ultimately of little consequence.”

According to court documents, Cornhusker is no longer in use. Since then, newer FBI-funded malware has targeted a far wider scope of Tor users in the course of investigations. Both Cornhusker and newer techniques, dubbed bulk hacking, have been criticized for their lack of congressional or public oversight.

In addition to working on Operation Torpedo, Edman also did dozens of hours of work on the federal case against Silk Road, the first major Dark Net marketplace, and its convicted creator Ross Ulbricht. According to testimony, it was Edman who did the lion’s share of the job tracing $13.4 million in bitcoins from Silk Road to Ulbricht’s laptop, which played a key role in Ulbricht being convicted and sentenced to two life terms in federal prison. Edman worked as a senior director at FTI Consulting at the time.

The Tor malware Edman developed in Operation Torpedo for the FBI has been used in multiple “high-profile” investigations, according to a biography of Edman.

“He has been recognized within law enforcement and the United States Intelligence Community as a subject-matter expert on cyber investigations related to anonymous communication systems, such as Tor, and virtual currencies like Bitcoin,” notes his company biography for Berkeley Research Group, where Edman works as director in New York. “As part of his work, he assembled and led an interdisciplinary team of researchers that developed a state-of-the-art network-investigative technique that was successfully deployed and provided critical intelligence in multiple high-profile law enforcement cyber investigations.”

Edman’s résumé also includes a stint as a senior vulnerability engineer at Bloomberg L.P. in New York City, where he did penetration testing of the firm’s network. According to his biography, he also offers special expertise on subjects like Tor and Bitcoin.

Today, at Berkeley Research Group, Edman works next to former federal prosecutor Thomas Brown as well as three former FBI agents, all of whom worked on the Silk Road case directly with Edman: Thomas Kiernan, Ilhwan Yum, and Christopher Tarbell.

Edman did not respond to a request for comment.

Editor’s note: This post has been updated to add clarity on the nature of the malware and Tor Project’s involvement with law enforcement.